Bad-cast to const blink::BeginTransformDisplayItem from blink::DisplayItem in blink::BeginTransformDisplayItem::Equals
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5449968910598144
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x0fc2c2028400
Crash State:
  Bad-cast to const blink::BeginTransformDisplayItem from blink::DisplayItem
  blink::BeginTransformDisplayItem::Equals
  blink::PaintController::CheckUnderInvalidation
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=514498:517702
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5449968910598144

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by elawrence@chromium.org, Nov 19 2017

Nov 19 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 20 2017
Xianzhu, I wonder if any of your CLs:
1) https://chromium.googlesource.com/chromium/src/+/0e615407319a0aa91de9166e653ad341e7681033
2) https://chromium.googlesource.com/chromium/src/+/0a848fcd4d159ff31f30aa20f4c0d6fd7a6a4123
3) https://chromium.googlesource.com/chromium/src/+/ecaad1e063c8e6c7033733a040250e38d1ddee28
4) https://chromium.googlesource.com/chromium/src/+/5d28b2b610719d4d1c4d1fd7f8a74e8dfeba0d33

Nov 20 2017
This happens only when a blink feature (PaintUnderInvalidationChecking) is enabled. The feature can be programmatically enabled in content_shell only, so this doesn't affect normal users.

Nov 21 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d5803f330a4355c1d11e86e388d1bbb2e25b2b08

commit d5803f330a4355c1d11e86e388d1bbb2e25b2b08
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Tue Nov 21 05:01:09 2017

[PE] Restore tombstone during PaintUnderInvalidationChecking

In the following case: The current display items are:
  BeginClip Draw EndClip
and nothing has been invalidated, and we are generating the following new display items:
  BeginClip EndClip BeginClip Draw EndClip
and both BeginClips are equal to the old BeginClip.

When the first BeginClip is matched, the old BeginClip is moved to the new display item list and becomes a tombstone. Then the BeginClip is removed as a part of a no-op pair. Then when we generate the second BeginClip we would compare it against the tombstone.

Now restore the tombstone to BeginClip when removing a no-op pair.

This mess applies to SPv1 only.

Bug: 786754
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I9d326585242b44501ed11807db12341c7754828b
Reviewed-on: https://chromium-review.googlesource.com/779304
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#518126}

[modify] https://crrev.com/d5803f330a4355c1d11e86e388d1bbb2e25b2b08/third_party/WebKit/Source/platform/graphics/paint/DisplayItem.h
[modify] https://crrev.com/d5803f330a4355c1d11e86e388d1bbb2e25b2b08/third_party/WebKit/Source/platform/graphics/paint/DisplayItemList.h
[modify] https://crrev.com/d5803f330a4355c1d11e86e388d1bbb2e25b2b08/third_party/WebKit/Source/platform/graphics/paint/PaintController.cpp
[modify] https://crrev.com/d5803f330a4355c1d11e86e388d1bbb2e25b2b08/third_party/WebKit/Source/platform/graphics/paint/PaintControllerTest.cpp
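To make the sequence in the commit message concrete, the toy model below (added here as an illustration; it is not Chromium's PaintController and all names in it are invented) replays the old list BeginClip Draw EndClip against the generated items BeginClip EndClip BeginClip Draw EndClip. It mimics the two mechanisms the message describes: a matched old item is moved into the new list and its old slot becomes a tombstone, and a BeginClip immediately followed by its EndClip is dropped as a no-op pair. The subclass Equals is modelled as casting `other` to its own type, which is what turns a comparison against a tombstone (a DisplayItem of a different dynamic type) into the vptr bad-cast that the UBSan job reported; the model records that condition as a flag instead of crashing. Running it with and without the fix (restoring the tombstone when the no-op pair is removed) shows that only the fixed path gets through the whole list.

```cpp
// Added example, not Chromium code: a toy model of display-item matching with
// tombstones, replaying the scenario from the commit message above.
#include <cstddef>
#include <cstdio>
#include <vector>

enum class Type { kBeginClip, kEndClip, kDraw, kTombstone };

struct Item {
  Type type;
  int clip_id;  // payload compared by BeginClip::Equals; 0 for other types
};

// Models the per-subclass Equals: BeginClip::Equals casts `other` to BeginClip.
// A tombstone has a different dynamic type, so that cast is the bad-cast;
// here it is recorded in `bad_cast` instead of crashing.
static bool Equals(const Item& self, const Item& other, bool& bad_cast) {
  if (other.type == Type::kTombstone) {
    bad_cast = true;
    return false;
  }
  return self.type == other.type && self.clip_id == other.clip_id;
}

struct Outcome {
  bool bad_cast;          // true if a new item was compared against a tombstone
  std::size_t new_count;  // items left in the new list after painting
};

// Replays the scenario; `restore_tombstone` selects the fixed behaviour.
Outcome Replay(bool restore_tombstone) {
  std::vector<Item> old_items = {
      {Type::kBeginClip, 1}, {Type::kDraw, 0}, {Type::kEndClip, 0}};
  std::vector<Item> new_items;
  std::size_t cursor = 0;  // next old item the under-invalidation check expects
  Outcome out{false, 0};

  const std::vector<Item> generated = {
      {Type::kBeginClip, 1}, {Type::kEndClip, 0}, {Type::kBeginClip, 1},
      {Type::kDraw, 0}, {Type::kEndClip, 0}};
  for (const Item& item : generated) {
    // BeginClip immediately followed by its EndClip is a no-op pair and is
    // dropped from the new list. The old BeginClip was already moved into the
    // new list (leaving a tombstone behind), so the checker rewinds to it.
    if (item.type == Type::kEndClip && !new_items.empty() &&
        new_items.back().type == Type::kBeginClip) {
      --cursor;
      if (restore_tombstone) {
        // The fix: put the moved item back so the old slot is a BeginClip again.
        old_items[cursor] = new_items.back();
      }
      new_items.pop_back();
      continue;
    }
    if (cursor >= old_items.size()) break;  // nothing left to check against
    Item& old = old_items[cursor];
    // Mismatch means an under-invalidation report in the real code; the
    // bad-cast variant is what this bug is about, so stop as soon as it occurs.
    if (!Equals(item, old, out.bad_cast)) break;
    // Match: move the old item to the new list and leave a tombstone behind.
    new_items.push_back(old);
    old = {Type::kTombstone, 0};
    ++cursor;
  }
  out.new_count = new_items.size();
  return out;
}

int main() {
  for (bool fixed : {false, true}) {
    Outcome o = Replay(fixed);
    std::printf("restore_tombstone=%d bad_cast=%d new_items=%zu\n",
                fixed, o.bad_cast, o.new_count);
  }
  return 0;
}
```

Without the restore, the second BeginClip is checked against the tombstone left in slot 0 and the model stops with `bad_cast` set; with the restore, slot 0 holds a BeginClip again, the second BeginClip matches it, and the three remaining items are matched normally.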

Nov 21 2017
ClusterFuzz has detected this issue as fixed in range 518061:518147.

Detailed report: https://clusterfuzz.com/testcase?key=5449968910598144
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x0fc2c2028400
Crash State:
  Bad-cast to const blink::BeginTransformDisplayItem from blink::DisplayItem
  blink::BeginTransformDisplayItem::Equals
  blink::PaintController::CheckUnderInvalidation
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=514498:517702
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=518061:518147
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5449968910598144

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 21 2017
ClusterFuzz testcase 5449968910598144 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Feb 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot